how to nat source IP inbound on asa5510 outside interface

Jan 20th, 2010
Hi


I have a query which is frankly stumping me at the moment.


A customer has a couple of web servers on their internal network. They need to provide access from external hosts to these servers on port 443. They have an ASA5510 which has static NAT to translate the inbound destination IP from an external address to the real internal address of the servers.  This all works fine as proved with 'capture'. I can see inbound packets being translated and squirted out the inside interface to the servers, via an internal L3 switch.


However, the ASA is NOT the default gateway of the internal L3 switch, so responses from the servers hit their default gw (the L3 switch) which for obvious reasons doesn't have a separate route for every single internet host, so the L3 switch forwards the response to its default gw which is a different firewall (not the ASA the request came in on).


So the problem is the client never sees the response from the server.


Without changing the default gw of the L3 switch, I believe the only way around this problem is to get the ASA to translate the inbound SOURCE IP address as well as the destination, so that the L3 switch can forward the responses from the server back to the ASA correctly.


However I'm unsure on how this should be configured.


Thanks in advance for any suggestions!

Kureli Sankar (Cisco Employee) Wed, 01/20/2010 - 06:53

Your idea is a good idea. You can use policy static or policy nat.


static (outside,inside) inside_address access-list change-source-ip

access-list change-source-ip permit ip host source_ip_internet host webserver_ip_public

nat (outside) 1 access-list change-source-ip outside ---> you need the keyword outside (and a nat_id, here 1, shared with the matching global)

global (inside) 1 interface


-KS

vpersaud001 Wed, 06/30/2010 - 11:10

Thanks!!! This policy nat helped me resolve an SSL vpn client issue.

vilaxmi (Cisco Employee) Wed, 01/20/2010 - 21:41

Hello,



Most optimum would be to use the correct default gateway, but if that is not possible, you can use policy NAT like below:


If a host (160.1.1.1) in the outside world would like to access a website (192.168.1.1) on the inside using a public IP (160.1.1.2):


access-list policy extended permit tcp host 160.1.1.1 host 192.168.1.1
static (inside,outside) 160.1.1.2 access-list policy

nat (outside) 1 access-list policy outside

global (inside) 1 interface


The reason you need to use the outside keyword is that you are trying to use NAT for a lower security interface.


HTH


Vijaya
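The following is an added, end-to-end ASA configuration for the scenario in the question (pre-8.3 NAT syntax, as used in the answers above). It is not from the thread or from Cisco; the interface names, the addresses (203.0.113.0/24 public, 10.0.0.0/24 ASA inside segment, 10.0.10.20 server) and the L3 switch address 10.0.0.2 are constructed for illustration. It uses the non-policy form of outside NAT so that every flow entering on outside gets its source rewritten to the ASA's inside address; the policy form in the answers above does the same for only the flows an ACL selects.

```cisco
! Added example (not from the thread): ASA 8.2-style configuration.
! Constructed addresses:
!   outside interface   203.0.113.1/24   (public side)
!   inside interface    10.0.0.1/24      (ASA is NOT the L3 switch's default gateway)
!   L3 switch           10.0.0.2         (default gateway for the servers)
!   web server, real    10.0.10.20       (behind the L3 switch)
!   web server, public  203.0.113.20
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Reach the server subnet through the L3 switch; everything else goes out to the internet.
route inside 10.0.10.0 255.255.255.0 10.0.0.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
! 1) Destination NAT already in place per the question: public 203.0.113.20 -> real 10.0.10.20
static (inside,outside) 203.0.113.20 10.0.10.20 netmask 255.255.255.255
!
! 2) Source NAT for traffic that ENTERS on outside. The "outside" keyword is what enables
!    outside NAT on a lower-security interface; "global (inside) 1 interface" PATs the source
!    to the ASA inside address 10.0.0.1. The server's replies are therefore addressed to
!    10.0.0.1, which the L3 switch reaches directly, so the reply returns through this ASA
!    instead of the other firewall.
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
!
! 3) Only allow 443 to the server. Pre-8.3 interface ACLs reference the mapped (public) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 443
access-group OUTSIDE_IN in interface outside
```

Two operational points follow from this design. First, `show xlate` and `show conn` on the ASA become the only place the real client address is visible: the web servers log every internet client as 10.0.0.1, so server-side rate limiting, IP blocking and incident reconstruction must rely on the ASA's connection syslogs (or on a TLS-terminating proxy that can add the client address to the request). Second, to limit the rewrite to the servers' flows rather than all outside-initiated traffic, replace the `nat (outside) 1 0.0.0.0 0.0.0.0 outside` line with the `nat (outside) 1 access-list <acl> outside` form shown in the answers above, keeping the same nat_id on the `global (inside)` line.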
